TerraformPilot


Terraform for Cisco IOS XE: Network Automation

Automate Cisco IOS XE devices with Terraform: ciscodevnet/iosxe provider, RESTCONF/NETCONF, configuration drift management, and CI-driven changes.

Luca Berton · 1 min read

Cisco IOS XE runs on Catalyst 9000, ASR 1000, ISR 4000/1000, and CSR/Cat8000v in the cloud. The official CiscoDevNet/iosxe Terraform provider talks RESTCONF to the device for declarative configuration: VLANs, interfaces, routing, and ACLs all live in HCL.

For the multi-vendor overview, see the combined Cisco / Junos / Arista article. This article focuses on IOS XE alone.

Provider

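terraform {
  required_providers {
    iosxe = {
      source  = "CiscoDevNet/iosxe"
      version = "~> 0.5"
    }
  }
}

variable "username" { type = string }
variable "device_ip" { type = string }
variable "password" {
  type      = string
  sensitive = true # redacted in plan output; supply via TF_VAR_password or a secrets manager
}

provider "iosxe" {
  username = var.username
  password = var.password
  url      = "https://${var.device_ip}"
  insecure = false # verify the device's TLS certificate; use real certs in prod
}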

VLAN + Access Port

resource "iosxe_vlan" "users" {
  vlan_id = 100
  name    = "USERS"
}

resource "iosxe_interface_ethernet" "g1_0_5" {
  type                   = "GigabitEthernet"
  name                   = "1/0/5"
  description            = "user-port"
  switchport_mode_access = true
  switchport_access_vlan = iosxe_vlan.users.vlan_id
  shutdown               = false
}

OSPF Process and Interface

resource "iosxe_ospf" "core" {
  process_id = 1
  router_id  = "10.0.0.1"
}

resource "iosxe_ospf_interface" "lo0" {
  interface  = "Loopback0"
  process_id = iosxe_ospf.core.process_id
  area       = "0"
}

Best Practices

  • Enable the RESTCONF feature explicitly on the device (ip http secure-server, restconf).
  • Use service accounts with a Terraform-only username and AAA logging.
  • CI dry-runs: terraform plan against the device, then a human approves apply.
  • Drift detection: schedule terraform plan daily; alert on unexpected diffs.
  • Lock state in Terraform Cloud / Vault — network state corruption is catastrophic.
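
A scheduled drift check in the spirit of the dry-run and drift-detection bullets above, as an added example that is not part of the original article. `TF_BIN`, `ALERT_CMD` and the workspace path are assumptions; the alert forwards only resource header lines, not attribute values.

```sh
#!/bin/sh
# Added example: scheduled drift check for a Terraform-managed IOS XE workspace.
# Assumptions (not from the article): TF_BIN, ALERT_CMD, the workspace path.
TF_BIN="${TF_BIN:-terraform}"
ALERT_CMD="${ALERT_CMD:-logger -t iosxe-drift}"  # swap in your pager or webhook command

# drift_check DIR -> 0 device matches HCL, 2 drift found, 1 plan failed.
# terraform plan never writes to the device; -detailed-exitcode makes a
# non-empty diff exit with 2 instead of 0.
drift_check() {
  local dir="$1" out summary rc=0
  out="$("$TF_BIN" -chdir="$dir" plan -detailed-exitcode -input=false \
        -lock-timeout=60s -no-color 2>&1)" || rc=$?
  case "$rc" in
    0) return 0 ;;
    2) # Forward only the per-resource header lines: attribute diffs can
       # contain device secrets and do not belong in a chat channel.
       summary="$(printf '%s\n' "$out" |
         grep -E '^ *# .* (will be|must be|has changed|has been deleted)' || true)"
       $ALERT_CMD "DRIFT in $dir: $summary"
       return 2 ;;
    *) # Unreachable device, TLS failure or state-lock timeout: a check that
       # cannot run must alert too, or drift goes unnoticed.
       $ALERT_CMD "PLAN FAILED in $dir (exit $rc)"
       return 1 ;;
  esac
}

# Stand-alone use from cron or CI: sh drift.sh /path/to/workspace
[ "$#" -eq 0 ] || drift_check "$1"
```

Run it under the Terraform-only service account so the daily plan shows up in AAA logs as that user.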